diff --git a/.env b/.env
index a8188f7..2c31b65 100644
--- a/.env
+++ b/.env
@@ -68,8 +68,6 @@ GRAFANA_EXTERNAL_PORT=3600
 GRAFANA_INTERNAL_PORT=3000
 STASH_EXTERNAL_PORT=9998
 STASH_INTERNAL_PORT=9999
-NAVIDROME_EXTERNAL_PORT=4533
-NAVIDROME_INTERNAL_PORT=4533
 MALOJA_EXTERNAL_PORT=42010
 MALOJA_INTERNAL_PORT=42010
 PAPERLESS_EXTERNAL_PORT=8004
diff --git a/docker-compose.yml b/docker-compose.yml
index 9db1ae4..ff47405 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -334,8 +334,6 @@ services:
   navidrome:
     image: deluan/navidrome:0.61.2
     container_name: navidrome
-    ports:
-      - "${NAVIDROME_EXTERNAL_PORT}:${NAVIDROME_INTERNAL_PORT}"
     env_file:
       - navidrome.env
     user: "${PUID}:${PGID}"
@@ -347,7 +345,10 @@ services:
         ipv4_address: 192.168.240.14
     labels:
       caddy: music.${DOMAIN_LOCAL}
-      caddy.reverse_proxy: "{{ upstreams $NAVIDROME_INTERNAL_PORT }}"
+      caddy.reverse_proxy: "{{ upstreams 4533 }}"
+      caddy.forward_auth: "authentik-server:9000"
+      caddy.forward_auth.uri: "/outpost.goauthentik.io/auth/caddy"
+      caddy.forward_auth.copy_headers: "X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name"
     restart: unless-stopped
 
   maloja:
diff --git a/navidrome.env b/navidrome.env
index 21eafd6..977b7dd 100644
--- a/navidrome.env
+++ b/navidrome.env
@@ -10,3 +10,6 @@ ND_PREFERSORTTAGS=true
 ND_ENABLEM3UEXTERNALALBUMART=true
 ND_ENABLEWEBPENCODING=true
 ND_UICOVERARTSIZE=600
+ND_EXTAUTH_TRUSTEDSOURCES=192.168.240.2/32
+ND_EXTAUTH_USERHEADER=X-Authentik-Username
+ND_EXTAUTH_LOGOUTURL=https://authentik.kucharczyk.xyz/if/flow/default-invalidation-flow/
\ No newline at end of file